Google must be brought to book

Google needs to be held accountable for what is one of the worst and most pervasive invasions of privacy by a technology firm in the world – and yet it consistently manages to evade any kind of repercussions for its actions.

Today the Information Commissioner’s Office (ICO) in the UK announced the final outcome of its investigation into the Street View snooping fiasco, stating that Google’s behaviour constitutes a “significant breach” of the Data Protection Act, despite saying in July that there was no significant personal data captured and that no detrimental effect had been caused.

But what is the real effect of this U-turn by the ICO? Google’s UK branch will be audited and the company will be forced to sign a document promising not to breach privacy again, with the threat of legal action if it fails to comply. And that’s it. A quick browse around the Google offices and a signature on a piece of paper – hardly what one would expect for such a monumental privacy breach.

The ICO U-turn appears to have been made in the face of other international investigations, where it was proven that the data Google collected included emails, URLs, and even passwords. The ICO said that in light of this, and Google’s own admission that personal data had been collected, “formal action” was deemed necessary.

The problem is that, in the case of stealing passwords, anyone else would be prosecuted. Many people responsible for the infamous ZeuS keylogging trojan have been arrested or jailed already, while Google can collect people’s passwords and walk away scot-free. Obviously it’s not quite the same situation and Google has not used this information to illegally profit, but it still raises the question of why there appears to be one rule for the big companies and another for everyone else.

The ICO rejected calls for a monetary penalty, despite it being an appropriate action to take, but it did not rule out this option if Google does not fully comply with its demands. We know, however, that Google will do all it can to avoid any further damage to its reputation from this debacle, so the ICO’s statement really amounts to an empty threat.

The ICO also wants Google to delete all of the data it illegally acquired in the UK as soon as it is legally cleared to do so. It will hardly have to order Google to do that, as Google has been clamouring to get rid of the evidence for some time now and has already done so in countries where it was permitted to delete the data, such as Ireland.

“It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act,” said Christopher Graham, the Information Commissioner. “The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit.”

According to the ICO, Google has agreed in principle to the following:

“To institute a policy that requires Google employees to be trained on Google’s code of conduct, which includes sections on privacy and the protection of user data and the legal requirements applying to the protection of personal data in the UK.

“To enhance the core training for engineers and other important groups with a particular focus on the responsible collection, use and handling of data.

“To institute a security awareness program for Google employees, which will include clear guidance on both security and privacy.”

Is signing a document really enough though? Does this not send out a message to other potential breachers of privacy that they might just get away with it, and that, if they are indeed caught, there are no consequences for these actions? Money talks.

While Google may not have intended any of this, good intentions are meaningless in the face of inexcusable actions that go unchecked. Google needs more than a tame slap on the wrist, and that may yet come from one of the many other investigations into Street View going on around the world.